Evaluation Assurance Level (EAL1 through EAL7) of an IT product or system is a numerical grade assigned following the completion of a security evaluation. Computer products are often required to achieve a particular assurance level certification in order to be sold to the government.
Higher assurance levels reflect added assurance requirements that must be met to achieve a particular certification. The general intent of the higher levels is to provide higher confidence that the system's principal security features are reliably implemented. The EAL does not measure the security of the system itself; it simply states the level of rigor at which the system was evaluated.
To achieve a particular EAL, the computer system must generally meet specific assurance requirements. Most of these requirements involve design documentation, design analysis, functional testing, or penetration testing. The higher EALs involve more detailed documentation, analysis, and testing than the lower ones. Achieving a higher EAL certification therefore generally costs more money and takes more time than achieving a lower one. Virtually all currently available embedded avionics systems operate at a system high classification protocol, meaning that all data residing on the system must be treated as if classified at the aggregate classification level of all system resident data. This negatively impacts system performance by restricting and/or delaying data sharing with other networked systems—a constraint that directly conflicts with the goal of improved information sharing. Operating at system high also increases total system cost of ownership by requiring system operators to clear all personnel that touch the system to the aggregate classification of all hosted data.
In an attempt to address this deficiency in the prior art, multiple independent levels of security (MILS) operating systems known as separation kernels (SK) have been developed to provide full data separation, and hence Multiple Levels of Security (MLS) operation, which is a prerequisite to providing embedded airborne platform network connectivity. However, in such prior art systems, data separation is achieved between different virtual address spaces on a single processor, not across the multiple processors typically found in an embedded avionics system or across multiple networked systems.
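The contrast drawn above between system-high operation and separation-kernel (MILS) data separation is easier to see in a small model. The following Python is an added illustration, not code from the patent or from any real separation kernel: it labels each partition with its own classification, computes the aggregate level that a system-high box must be operated at, and has a toy kernel mediate every inter-partition message against a static allow-list. The partition names, the classification lattice and the "no write-down" configuration rule are assumptions for the example; a real SK's flow policy is configured per system and runs on one processor, which is exactly the limitation the background section points out.

```python
"""Toy model of MILS separation vs. system-high operation (added example)."""
from enum import IntEnum


class Level(IntEnum):
    """Assumed linear classification lattice for the example."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


class Partition:
    def __init__(self, name, level):
        self.name = name
        self.level = level


def system_high_level(partitions):
    """System high: every byte on the box is handled at the aggregate (maximum)
    classification of all hosted data, and every operator who touches the
    system must be cleared to that level."""
    return max(p.level for p in partitions)


class SeparationKernel:
    """Mediates all inter-partition communication. Data may cross a partition
    boundary only through a flow that was explicitly configured; everything
    else is denied and audited (default deny)."""

    def __init__(self, partitions):
        self.partitions = {p.name: p for p in partitions}
        self.allowed = set()                         # configured (src, dst) flows
        self.mailboxes = {p.name: [] for p in partitions}
        self.audit = []                              # (verdict, src, dst)

    def allow_flow(self, src, dst):
        """Configure a flow. Assumed rule for the example: refuse any flow that
        would move data to a lower classification (no write-down)."""
        s, d = self.partitions[src], self.partitions[dst]
        if s.level > d.level:
            raise ValueError(f"refusing write-down flow {src} -> {dst}")
        self.allowed.add((src, dst))

    def send(self, src, dst, payload):
        """Deliver payload only if the (src, dst) flow is configured."""
        if (src, dst) not in self.allowed:
            self.audit.append(("DENY", src, dst))
            return False
        self.audit.append(("ALLOW", src, dst))
        self.mailboxes[dst].append((src, payload))
        return True

    def export_level(self, name):
        """Level at which a partition's data can be shared with an external
        network: its own label, because separation is preserved."""
        return self.partitions[name].level


def build_demo():
    """Constructed avionics-style partitions (assumed names and levels)."""
    parts = [
        Partition("nav", Level.UNCLASSIFIED),
        Partition("mission", Level.SECRET),
        Partition("sigint", Level.TOP_SECRET),
    ]
    sk = SeparationKernel(parts)
    sk.allow_flow("nav", "mission")      # unclassified position fixes feed mission planning
    return parts, sk


if __name__ == "__main__":
    parts, sk = build_demo()
    print("system-high aggregate level:", system_high_level(parts).name)
    print("nav export level under MILS:", sk.export_level("nav").name)
    print("nav -> mission:", sk.send("nav", "mission", "position fix"))
    print("mission -> nav:", sk.send("mission", "nav", "target list"))
    print("audit:", sk.audit)
```

Under system high the whole box, and every operator on it, is treated as TOP_SECRET because one partition hosts TOP_SECRET data; under the separation kernel the `nav` partition keeps its UNCLASSIFIED label and only the configured upward flow is delivered, while the attempted downward message is denied and recorded.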
Accordingly, what is desired is a software architecture for use in embedded avionics systems that provides full data separation in the Multiple Independent Levels of Security (MILS) model across multiple processors, in a cost-effective manner.